Running the Name Daemon as nobody
(a Korean translation of the Chroot-BIND HOWTO)

Scott Wunsch, scott@wunsch.org
Translated by 임승환 (kilhan@kldp.org)
v1.0, 13 March 2000

Translator's note: feel free to make use of this translation, and feel free to credit the translator. If you find a problem in the translation, or correct something, let me know and I will try to update it.

This document carries the following copyright:
Copyright ¨Ï Scott Wunsch, 2000. This document may be distributed
only subject to the terms set forth in the LDP licence at
http://metalab.unc.edu/LDP/COPYRIGHT.html. This HOWTO is free
documentation; you can redistribute it and/or modify it under the terms
of the LDP licence. It is distributed in the hope that it will be useful,
but without any warranty;
without even the implied warranty of merchantability or fitness for a
particular purpose. See the LDP licence for more details.
Translator's note: this was written less to lay out the concepts than to be a practical aid to actually getting the installation done.
This document describes additional security measures to take when installing the BIND package: confining BIND so that it cannot read, or otherwise reach, anything outside a 'chroot' jail, and running it as a user other than 'root' (the system administrator). The idea behind chroot is simple. Once BIND, or any other process, has been chrooted, it cannot see or read any part of the filesystem outside the jail. In this document BIND will be chrooted into the directory /chroot/named; from BIND's point of view that directory is /, so it has no access to anything outside it. If you have ever logged in to an anonymous FTP server, you have already met chroot.

Running BIND in a chroot jail limits the damage a malicious user could do by exploiting BIND while it is running. For the same reason, we want BIND to run as a user other than root (the system operator).
The latest version of the original document is available at www.losurs.org/docs/howto/Chroot-BIND.html. BIND itself is available from the Internet Software Consortium at www.isc.org/bind.html; at the time of writing the most recent version is 8.2.2_P5.

(Sections 1.4 and 1.5 are omitted from this translation.)
I wrote this document based on my experiences in setting BIND up
in a chroot environment. In my case, I already had an existing
BIND installation in the form of a package that came with my Linux
distribution. I'll assume that most of you are probably in the same
situation, and will simply be transferring over and modifying the
configuration files from your existing BIND installation, and then
removing the package before installing the new one. Don't remove the
package yet, though; we may want some files from it first.
If this is not the case for you, you should still be able to follow
this document. The only difference is that, where I refer to copying an
existing file, you first have to create it yourself. The DNS HOWTO may
be helpful for this.
These steps worked for me, on my system. Your mileage may vary. This
is but one way to approach this; there are other ways to set the same
thing up (although the general approach will be the same).
My BIND experience to date has been installing on Linux servers. However,
most of the instructions in this document should be easily applicable to
other flavours of UNIX as well, and I shall try to point out differences
of which I am aware.
(Translator's note: the original adds a named user. This translation uses nobody, which already exists on most systems.)

A dedicated user is preferable to nobody, though: anything else on the machine that already runs as nobody would share the name server's identity, and therefore its access to the jail.

Add the following line to /etc/passwd:

    named:x:200:200:Nameserver:/chroot/named:/bin/false

and the following to /etc/group:

    named:x:200:

The shell is set to /bin/false so that the account cannot be used to log in.
Create the following directory structure:

    /chroot
    +-- named
        +-- bin
        +-- dev
        +-- etc
        |   +-- namedb
        +-- lib
        +-- var
            +-- run
If you already have BIND installed and running, copy (or move) your existing named.conf and zone files into the jail: /etc/named.conf goes into /chroot/named/etc, and the zone files go into /chroot/named/etc/namedb. For example:

    # cp -p /etc/named.conf /chroot/named/etc/
    # cp -a /var/named/* /chroot/named/etc/namedb/

If you run BIND as a slave rather than a master, or for some other reason need BIND to be able to write to the zone files, change their ownership:

    # chown -R named:named /chroot/named/etc/namedb

(Translator's note: since I wanted to run as nobody, I ran # chown -R nobody:nobody /chroot/named/etc/namedb instead.)

Only the zone files need this; named.conf itself should stay owned by root and unwritable by the BIND user.

BIND also needs write access to /var/run inside the jail, for its pid file and for the socket used by ndc, so give it ownership of that directory as well:

    # chown named:named /chroot/named/var/run

(Translator's note: again, I used # chown -R nobody:nobody /chroot/named/var/run.)
Because a chrooted BIND cannot reach anything outside the jail, a few files (the system's shared libraries in particular) have to be copied in. The following makes the required libraries readable inside the jail; it should work on a typical Linux machine:

    # cd /chroot/named/lib
    # cp -p /lib/libc-2.*.so .
    # ln -s libc-2.*.so libc.so.6
    # cp -p /lib/ld-2.*.so .
    # ln -s ld-2.*.so ld-linux.so.2

BIND also needs a /dev/null inside the jail. Check the /dev/MAKEDEV script or the mknod manual page for your system; on a typical Linux machine the following works:

    # mknod /chroot/named/dev/null c 1 3
Finally, the /etc directory inside the jail needs a few files as well. Copy /etc/localtime into the jail so that BIND's log entries carry the correct local time, and create a minimal group file:

    # cp /etc/localtime /chroot/named/etc/
    # echo 'named:x:200:' > /chroot/named/etc/group

The GID in the jail's group file must match the one in the host's /etc/group, because that is the group named switches to.

(Translator's note: note that the original uses the GID 200 it assigned when creating the user. Since I use nobody, I ran echo 'nobody:x:99:' > /chroot/named/etc/group instead.)
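The library-copying step above hard-codes glibc file names that differ between distributions. The following script is an added example, not part of the original HOWTO or of the BIND sources: it populates the jail from the output of ldd for whatever binaries you name, recreating the symlink chain (libc.so.6 -> libc-2.x.so) the way the manual commands do, and then checks the caveat the text leaves implicit, namely that the jail user must not be able to overwrite the daemon's own binaries or libraries. It assumes a glibc-based Linux host; JAIL and JAIL_USER default to the values used in the text (the translation uses nobody).

```shell
#!/bin/sh
# Added example: populate a BIND chroot jail from ldd output and check
# that the jail user cannot replace what the daemon runs.
# Assumptions: glibc Linux, GNU or POSIX find/awk/readlink.
set -eu

JAIL=${JAIL:-/chroot/named}
JAIL_USER=${JAIL_USER:-named}   # the translation uses nobody instead

# parse_ldd: read ldd output on stdin, print one absolute library path per
# line. Handles "libc.so.6 => /lib/libc.so.6 (0x...)" and the bare loader
# line "/lib/ld-linux.so.2 (0x...)"; the vDSO and "not found" entries
# produce no output.
parse_ldd() {
    awk '$2 == "=>" && $3 ~ /^\// { print $3; next }
         $1 ~ /^\// { print $1 }'
}

# jail_libs: the libraries one binary needs inside the jail.
jail_libs() {
    ldd "$1" | parse_ldd
}

# copy_lib: copy one library into the jail at the same path, recreating
# every symlink in the chain so the loader resolves the same names it
# would outside the jail (the manual cp -p / ln -s steps, generalised).
copy_lib() {
    lib=$1
    while [ -L "$lib" ]; do
        target=$(readlink "$lib")
        case $target in
            /*) ;;
            *) target="$(dirname "$lib")/$target" ;;
        esac
        mkdir -p "$JAIL$(dirname "$lib")"
        ln -sfn "$(readlink "$lib")" "$JAIL$lib"
        lib=$target
    done
    mkdir -p "$JAIL$(dirname "$lib")"
    cp -p "$lib" "$JAIL$lib"
}

# populate_jail: copy the libraries needed by every binary given.
populate_jail() {
    for bin in "$@"; do
        jail_libs "$bin" | while read -r lib; do
            copy_lib "$lib"
        done
    done
}

# check_jail_perms: print any file under bin/ or lib/ that the jail user
# owns or that is world-writable, and return 1 if there is one. A daemon
# that can rewrite its own binary or libc gains nothing from the chroot.
check_jail_perms() {
    bad=$(find "$JAIL/bin" "$JAIL/lib" \( -user "$JAIL_USER" -o -perm -o+w \) \
          -print 2>/dev/null || true)
    [ -z "$bad" ] || { printf '%s\n' "$bad"; return 1; }
}

# Usage (as root): JAIL=/chroot/named sh populate-jail.sh /chroot/named/bin/named /chroot/named/bin/named-xfer
if [ $# -gt 0 ]; then
    populate_jail "$@"
    check_jail_perms
fi
```

Run it after copying named and named-xfer into /chroot/named/bin; the permission check is worth repeating any time the jail's contents change.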
There are said to be two ways to get log messages out of the jail to syslogd. Since the details vary from system to system, only the first method, the one used on Red Hat, is described here.

syslogd is normally started from /etc/rc.d/init.d/syslog. In that file, change the line

    daemon syslogd -m 0

to

    daemon syslogd -m 0 -a /chroot/named/dev/log

and then restart the daemon:

    # /etc/rc.d/init.d/syslog stop
    # /etc/rc.d/init.d/syslog start

If a socket like this then appears, everything is working:

    /chroot/named/dev
    srw-rw-rw-   1 root     root            0 Mar 13 20:58 log

The other method: if you have an older syslogd, then you'll have to find another way to do your logging. There are a couple of programs out there, such as holelogd, which are designed to help by acting as a ``proxy'', accepting log entries from the chrooted BIND and passing them out to the regular /dev/log socket.
Get the latest BIND from www.isc.org/bind.html or one of its mirror sites. (The original warns that this part can be confusing. ^^)

The default location for the pid file and the ndc socket is /var/run, and these have to live inside the jail. Since ndc itself runs outside the jail, it has to be pointed at the full path. Assuming a Linux system, edit src/port/linux/Makefile.set and change

    DESTRUN=/var/run

to

    DESTRUN=/chroot/named/var/run

(While you're in there, you may want to change the other destination paths from /usr to /usr/local.)

Everything except the name daemon itself runs outside the jail, so named alone must keep using the jail-relative path. Edit src/bin/named/named.h and, after the line

    #include "pathnames.h"

add

    #define _PATH_NDCSOCK "/var/run/ndc"

(If pathnames.h already defines _PATH_NDCSOCK, the compiler will warn about the redefinition; an #undef _PATH_NDCSOCK on the line before the new #define silences it.)

Read the INSTALL file. The build is the normal one described there, except that at this point we only build and do not yet install:

    # make clean
    # make depend
    # make
If you have an older BIND installed from an RPM or some other package, you can remove it now. On a Red Hat Linux system the packages are bind, bind-utils, bind-devel and caching-nameserver. If there is an existing /etc/rc.d/init.d/named script, keep a copy of it before removing the package.
This is the easy part :-). Install the build the usual way (make install, as described in INSTALL). To avoid running the copy of the daemon outside the jail by mistake, take all permissions away from /usr/local/sbin/named:

    # chmod 000 /usr/local/sbin/named

Then copy the named daemon and named-xfer (the program used for zone transfers) into the jail:

    # cp src/bin/named/named /chroot/named/bin
    # cp src/bin/named-xfer/named-xfer /chroot/named/bin

On a Red Hat 6.0 system named is then started as follows. -u gives the user ID the name server switches to once it is running, -g gives the group, and -t gives the directory to chroot into. named must still be started as root so that it can bind port 53 and perform the chroot; it drops to the -u/-g identity afterwards.

    daemon /chroot/named/bin/named -u named -g named -t /chroot/named

(Translator's note: that is the line in the original; I changed it to the following.)

    daemon /chroot/named/bin/named -u nobody -g nobody -t /chroot/named
Save the following script as /etc/rc.d/init.d/named:

    #!/bin/sh
    #
    # named           This shell script takes care of starting and stopping
    #                 named (BIND DNS server).
    #
    # chkconfig: 345 55 45
    # description: named (BIND) is a Domain Name Server (DNS) \
    # that is used to resolve host names to IP addresses.
    # probe: true

    # Source function library.
    . /etc/rc.d/init.d/functions

    # Source networking configuration.
    . /etc/sysconfig/network

    # Check that networking is up.
    [ "${NETWORKING}" = "no" ] && exit 0

    # Nothing to do if the jail has not been populated.
    [ -f /chroot/named/bin/named ] || exit 0
    [ -f /chroot/named/etc/named.conf ] || exit 0

    # See how we were called.
    case "$1" in
      start)
            # Start daemons: drop to named:named and chroot to the jail.
            echo -n "Starting named: "
            daemon /chroot/named/bin/named -u named -g named -t /chroot/named
            echo
            touch /var/lock/subsys/named
            ;;
      stop)
            # Stop daemons.
            echo -n "Shutting down named: "
            killproc named
            rm -f /var/lock/subsys/named
            echo
            ;;
      status)
            /usr/local/sbin/ndc status
            exit $?
            ;;
      restart)
            /usr/local/sbin/ndc restart
            exit $?
            ;;
      reload)
            /usr/local/sbin/ndc reload
            exit $?
            ;;
      probe)
            # named knows how to reload intelligently; we don't want linuxconf
            # to offer to restart every time
            /usr/local/sbin/ndc reload >/dev/null 2>&1 || echo start
            exit 0
            ;;
      *)
            echo "Usage: named {start|stop|status|restart|reload}"
            exit 1
    esac

    exit 0
You may also need to change a few settings in named.conf. The ones likely to need changing are, for example:

    directory "/etc/namedb";
    pid-file "/var/run/named.pid";
    named-xfer "/bin/named-xfer";

(%CAUTION%) Never write /chroot/named/etc in the directory option. BIND sees /chroot/named as /, so with the layout above the directory is simply /etc/namedb.

On a Red Hat 6.0 system, start it with:

    # /etc/rc.d/init.d/named start

Make sure that it is really the new daemon running, and not an old version or an instance that was already started. If it does not work, check the logs and the configuration. As always, no news is good news. ^^